Added measures to work with CSP

bkraul · bkraul · commit f80e0797fa44 · 2020-07-08T13:41:15.000Z
diff --git a/BBCodePlus/BBCodePlus.php b/BBCodePlus/BBCodePlus.php
@@ -12,6 +12,7 @@ class BBCodePlusPlugin extends MantisFormattingPlugin {
       private $t_MantisCoreFormatting_process_markdown = OFF;
       private $t_bbCode = null;
       private $t_HTML = null;
+      private $t_nonceToken = null;
       //-------------------------------------------------------------------
       /**
        *  A method that populates the plugin information and minimum requirements.
@@ -22,7 +23,7 @@ function register() {
          $this->name        = plugin_lang_get( 'title' );
          $this->description = plugin_lang_get( 'description' );
          $this->page        = 'config';
-         $this->version     = '2.1.17';
+         $this->version     = '2.1.18';
 
          $this->requires['MantisCore'] = '2.0.0';
          # this plugin can coexist with MantisCoreFormatting.
@@ -74,6 +75,8 @@ function init() {
                $this->t_MantisCoreFormatting_process_markdown = OFF;
             }
          }
+         # create the random nonce token for allowing unsafe-eval on csp
+         $this->t_nonceToken = base64_encode(substr(md5(mt_rand()), 0, 12));
       }
       //-------------------------------------------------------------------
       /**
@@ -121,6 +124,8 @@ function csp_headers() {
          if ( (ON == plugin_config_get( 'process_markitup' )) && function_exists( 'http_csp_add' ) ) {
             http_csp_add( 'img-src', "*" );
             http_csp_add( 'frame-ancestors', "'self'" );
+            http_csp_add( 'script', "'self'" );
+            http_csp_add( 'script-src', "'nonce-$this->t_nonceToken'");
          }
       }
       //-------------------------------------------------------------------
@@ -132,23 +137,23 @@ function csp_headers() {
       function resources( $p_event ) {
          # includes.
          $resources = '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'bbcodeplus.css' ) . '" />';
-         $resources .= '<script type="text/javascript" src="' . plugin_file( 'bbcodeplus-init.js' ) . '"></script>';
+         $resources .= '<script type="text/javascript" src="' . plugin_file( 'bbcodeplus-init.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
 
          if ( ON == plugin_config_get( 'process_markitup' ) ) {
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'markitup/skins/' . plugin_config_get( 'markitup_skin' ) . '/style.css' ) . '" />';
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'markitup/sets/mantis/style.css' ) . '" />';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/jquery_markitup.js' ) . '"></script>';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/sets/mantis/set.js' ) . '"></script>';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup-init.js' ) . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/jquery_markitup.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/sets/mantis/set.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup-init.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
          }
 
          if ( ON == plugin_config_get( 'process_highlight' ) ) {
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'prism/styles/' . plugin_config_get( 'highlight_css' ) . '.css' ) . '" />';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism.js' ) . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
 
             # load additional languages.
             if ( ON == plugin_config_get( 'highlight_extralangs' ) ) {
-               $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism_additional_languages.js' ) . '"></script>';
+               $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism_additional_languages.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
             }
          }
 
diff --git a/README.md b/README.md
@@ -26,6 +26,10 @@ If you would like to contribute to BBCode plus, please [read this guide first](h
 
 ## Change Log
 
+### 2.1.18
+
+- Added `nonce` random token and directives for included js scripts in order to hopefully address CSP restrictions.
+
 ### 2.1.17
 
 - Fixed styling and scripting issues with issue image picker. 
